Apple's June 2024 withholding just became standing policy

Apple will not ship its next-generation Siri stack in the European Union. The company requested an exemption from the Digital Markets Act’s interoperability obligations. The request was denied. The rollout stopped. No CVE gets assigned for this. CVSS does not score it. Nothing was exploited. A capability embedded in tens of millions of devices was withdrawn from an entire jurisdiction by one corporate decision responding to one regulatory decision. That is the finding worth analysing. Not the assistant. The architecture that makes instant, total, unilateral withdrawal possible.

The regulatory mechanics are short. Apple was designated a gatekeeper under the DMA in September 2023, with iOS, Safari, and the App Store listed as core platform services. Article 6(7) obliges gatekeepers to give third parties effective interoperability with hardware and software features controlled by the operating system, free of charge. Non-compliance carries fines up to 10 percent of global annual turnover, 20 percent for repeat infringement. Apple has invoked this provision before. In June 2024 it withheld Apple Intelligence, iPhone Mirroring, and SharePlay Screen Sharing from EU users, stating that DMA interoperability requirements would force it to compromise the integrity of its products. The Siri decision extends the same position, with the exemption path now formally tested and closed. The pattern is no longer a one-off. It is policy on both sides.

The bug class is control-plane concentration. Modern Siri is not an on-device feature with a cloud assist. It is a distributed inference system. A small on-device model handles trivial intents. Private Cloud Compute handles heavy inference. Server-side entitlement gates decide which accounts, regions, and hardware classes receive which capabilities. The entitlement check executes at Apple’s edge, not on the handset. Flip a region flag and the capability ceases to exist on every device in that jurisdiction simultaneously. No client patch. No version delta. No user action. The same mechanism that enables staged rollouts, A/B gating, and emergency feature pulls enables total withdrawal. A kill switch is not a defect in this architecture. It is the deployment model working as designed.

Availability is the neglected leg of the CIA triad, and this is what its failure looks like at scale. Security teams model availability threats as DDoS, ransomware, and infrastructure loss. The model is incomplete. Policy is an availability threat. A vendor’s cost-benefit calculation is an availability threat. The Siri withdrawal is a 100 percent availability loss for an entire region, executed cleanly, instantly, with no recovery path that affected parties control. If a threat actor produced the same outcome, it would be a named campaign with an incident retrospective. Because a vendor produced it in response to a regulator, it is a press release.

The mechanism behind the standoff matters because it is structural, not contingent. Article 6(7) compliance would require Apple to expose the hooks Siri itself uses: intent resolution through App Intents, cross-app context aggregation, on-screen content awareness. Apple’s position is that those interfaces were designed inside a closed trust boundary, and opening them to arbitrary third parties converts a private integration layer into an exposure surface it cannot attest or constrain. The Commission’s position is that closed integration is self-preferencing by a gatekeeper. Both sides read the same trade-off correctly, which is exactly why no exemption was coming. Mandated interoperability expands the API surface. Refusal removes the service. Both branches change the security posture of every dependent system. Neither branch is controlled by anyone who depends on the system.

The exploit path requires no exploit. A forced shutdown via regulatory ruling is functionally a vendor-level denial of service executed with full authorization. Compare the work factor. A threat actor wanting control of a vendor’s feature-gating plane needs T1195 supply chain compromise or T1584 infrastructure acquisition, persistence inside a hardened deployment pipeline, and sustained evasion of internal detection. A regulator needs a ruling. A vendor needs a spreadsheet showing withdrawal costs less than compliance. The capability gap between compromise and compliance is paperwork. Every downstream dependency - Shortcuts automations, accessibility workflows, App Intents integrations, enterprise apps routing voice or context through the assistant layer - inherits the outcome without being party to either side of the decision.

For enterprise consumers the correct framing is supply chain, not consumer features. A hosted AI capability is an unpinned dependency with no lockfile equivalent. There is no semantic version to hold, no artifact to mirror, no hash to verify against. The dependency is a network call to an endpoint whose behaviour, model weights, and existence change without a changelog entry the consumer controls. Jurisdictional withdrawal is one mutation among many: silent model swaps, quota changes, deprecation windows measured in weeks. Software supply chain security spent a decade building SBOMs and provenance attestation for code. None of that tooling describes a model endpoint. The inventory format for AI dependencies does not exist yet, and the Siri case shows what the missing column is. Jurisdiction.

Run the counterfactual. Apple complies instead. Third-party assistants receive the same hooks: intent routing, context aggregation, screen awareness. That is new IPC surface on hundreds of millions of devices. New entitlements. New consent flows. New privilege boundaries between assistant processes and app data. Vulnerability researchers would spend the next three years hunting confused-deputy bugs in that layer, and some of those bugs would be real. Either branch of the decision generates security consequences. Compliance expands the interface. Refusal proves the kill switch exists. The branch that was never on the table is the one where dependent systems hold an availability guarantee.

The second failure class is data access control, and it cuts in an unexpected direction. Centralized assistants aggregate the highest-value dataset on a device: cross-app context, message content, mail, screen state, location. Apple engineered Private Cloud Compute specifically to make server-side inference defensible: custom silicon, cryptographically attested OS images, no persistent storage of request data, published system images for external inspection, and client-side verification that a request releases only to an attested node. As public cloud inference designs go, it is the strongest available. It was also irrelevant to this failure mode. The threat that materialised was not memory disclosure, not a malicious insider, not a compromised node. It was a legal obligation to open the same context pathways to third parties, an obligation the trust model could not absorb without dismantling itself. The access control failure occurred at the jurisdiction layer, not the enclave layer. Enclave hardening does not address obligations written into law.

The pattern has priors. Meta withheld its multimodal Llama models from the EU in July 2024, citing regulatory uncertainty. Same calculus, different logo. CrowdStrike, 19 July 2024: one defective content update pushed from a centralized control plane took roughly 8.5 million Windows hosts down with no adversary involved. Okta, October 2023: a breach of the centralized support system exposed HAR files containing session tokens, and the blast radius landed on downstream tenants, with Cloudflare among those who caught and reported the intrusion. Different triggers - policy, defect, compromise - but one structural property shared across all three. Concentration converts any single failure into systemic failure. Centralization is efficient until the day it is not, and on that day there is no failover, because there was never a second control plane.

What fires in telemetry when a vendor withdraws a capability: nothing. There is no Sysmon event ID for an entitlement flag flipped at a vendor edge. No EDR alert category covers capability withdrawal by jurisdiction. Clients degrade silently. The API returns a capability-unavailable response, dependent apps fall back or fail, and the de facto detection mechanism is the help desk queue. SIEM correlation assumes attacks carry technique signatures. This carries none. The deeper gap is inventory: most organisations cannot enumerate which production workflows call which hosted model endpoint under which jurisdiction, which means the failure cannot be modelled before it happens. The instrumentable signals are thin but real. Egress mapping to model-provider endpoints. Per-region API error-rate deltas. Vendor status feeds parsed into alerting rather than read after the fact. Contract clauses specifying notification lead time for capability changes, treated as a control with an owner. The honest summary is that availability of a third-party AI control plane is currently monitored by reading the vendor’s newsroom, and most teams discover the dependency at the moment it fails.

There is no patch boundary here. No fixed version exists, because the condition is the design rather than a defect in it. Every workflow built on a centralized AI service carries a dependency whose availability is settled in a negotiation between a vendor and a regulator, and neither party appears in the dependent organisation’s escalation chain. The mitigations are architectural. On-device or self-hosted inference for load-bearing paths. Capability fallbacks exercised as tested failure modes, not theoretical edge cases. Jurisdiction recorded as a dependency attribute next to version pinning and CVE exposure. Exit criteria written before the integration ships, not after the press release. Siri in the EU is the visible instance. The class is every API key to a hosted model endpoint sitting in production code right now. CVEs get patched. Architecture gets repeated.

See also: NordVPN for tunneled traffic when operating outside controlled networks.

---

#ad Contains an affiliate link.